Recent research revealed that most of the ATM’s around the world are vulnerable to compromise and cash out from the ATM by attackers within 30 min.
Cyber criminals are using various sophisticated methods including physical access and remote access by compromise the bank network in order to steal the money from ATM.
Recent ATM based attacks targeted by Malicious hackers stealing cash from cardless ATM using a new form of SMS phishing attack that force let user give away their bank account credentials into the phished website.
U.S. Secret Service also warned the new form of ATM Skimming Attack called “Wiretapping” targeting the financial institutions by creating a small size of the hole in the ATM machine and steal the customer data directly from card reader inside of the ATM Mchine.
Also, attackers trying to inject the ATM malware families such as Alice, Ripper, Radpin, and Ploutus, that is frequently available on the dark web market.
A researcher from PT Security tested around 26 ATMs models and performed deep security analysis revealed that ATM’s are vulnerable in the following 4 categories.
- Insufficient network security
- Insufficient peripheral security
- Improper configuration of systems or devices
- Vulnerabilities or improper configuration of Application Control
In order to compromise the ATM network, attackers targeting bank networks by intercept and spoof traffic, and attack network equipment.
Attacks Scenarios to Compromise ATM
There are 2 categories mainly used by an attacker to compromise and cashout from the ATM. First is fall under the scenario of obtaining money from the ATM and the second one is steal the user’s card data by copying it when they use it to cash-out.
Network attacks
Intially, the network-level attacks are most commonly used attack by compromising the Bank network remotely that connected with ATM who can be the employer of the bank or internet service provider.
This scenario takes just 15 mins to access the ATM network both physically or remotely and 85 % of the ATM’s are vulnerable to such attacks.
Spoofing of the Processing Center
This attack scenario could be possible if data between the ATM and processing center is not secured and the attack manipulates transaction confirmation process which is performing while processing center emulator receives the request from the ATM and command to dispatch to the user.
This attack can be successfully performed when data between the ATM and processing center is not specially encrypted, VPN protection is poorly implemented, Message Authentication Codes are not used in transaction requests and responses. 27% of ATM machine can be compromised by this attack.
Exploiting the Network Service Vulnerabilities
Attackers exploiting the network service vulnerabilities by execution the remote code into the vulnerable network that leads to turning off the security system that implemented by the bank and dispatches the cash from ATM.
Mostly this type of attacks targeting when the Bank failed to implement the proper firewall, out of date software, misconfigured security systems and 58% of ATMs are vulnerable to this attack.
Compromise the Network Devices
Compromising the network devices that connected to the ATM machine leads to successfully obtain the full control of the ATM machine and command to cash out remotely.
This scenario leads to compromise all the ATM machine that connected to the attacked network and 23 % of tested ATM machines are vulnerable to such kind of attacks.
Physically Access the ATM cabinet
In this kind of ATM Attacks, cyber criminals directly drill the ATM machine inorder to access the dispenser cable. unlike cash dispenser which is protected inside of the ATM, the connection of the cash dispenser to the ATM computer is located outside that is completely unsafe.
IN This case, once the access the dispenser cable, they connected it to their own device and command it to send the cashout. shockingly 63% of ATM’s are vulnerable to this kind of attack.
Connection to the hard drive
Attackers trying to connect to the ATM harddrive through bypass the security system in order to gain full control of the dispenser also if the hard drive is not encrypted then the attack will load copy the malware that command to dispatch the cash.
Also attackers copy the sensitive files from the hard drive and use it to future attacks.92% of tested ATMs are vulnerable to this kind of attack.
Mitigation Steps to Detect Banking environment Cyberattack
- Suspicious Transaction Activity – Targeted – Frontend and backend Transaction Discrepancy Analytic (This can be used to help detect malware activity utilized to compromise ATM switches e.g. where TR enters a payment switch but never leaves for authorization etc.)
- Suspicious SWIFT Endpoint Activity – Rare SAA Process/MD5 Analytic
- Suspicious SWIFT Activity – Amount – Unusual 103 For Source Analytic
- Suspicious ATM Activity – Peak Sequential Non-EMV Transactions For ATM Source Analytic
- Suspicious Network Activity – Amount – Unusual PCCR Changes Analytic (This can be used to help detect unusual changes in the behavior of the ATM switches from a network perspective.)
- Suspicious ATM Activity – Peak EMV Fallbacks to Magstripe Analytic
- Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic (This can be used to help detect attack activity associated with the compromised ATM switch.)
- Suspicious ATM Activity – Peak *On-Us Transaction Volume For PAN Analytic
- Suspicious ATM Activity – Amount – Unusual Foreign Cash-out Volume Analytic
- Suspicious Transaction Activity – Targeted – Cash Withdrawal Limit Elimination Analytic – Malicious threat actors manually changing cash withdrawal limits
- Suspicious Process Activity – Rare Scheduled Task For Host Analytic (This is an example that can be used to detect one of the common techniques leveraged by Lazarus Group to which the attacks were attributed.)
- Suspicious Process Activity – Targeted – Executable File Creation Analytic
- Also, you can read Advanced ATM Penetration Testing Methods.
